Overview

overview

8

Static

static

3

40d122ff0c...a9.exe

windows7-x64

8

40d122ff0c...a9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    3s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40d122ff0caa0962286bfa8e4a4c2ca9.exe

  • Size

    3.6MB

  • MD5

    40d122ff0caa0962286bfa8e4a4c2ca9

  • SHA1

    159606b14e6705eaa918704d45a51a687693d68a

  • SHA256

    5f8f65f16ae7816e0191cfa78728f31074d5b2e979f52b71876bf35e91ae5882

  • SHA512

    c7124b18d40a4484138df70d11b7c8ca6dd6d8ab6c400a59182dc2f881f769b303b1a956f27d3cf589b130e650564a43f17500a40be817e5d6276cb7c1bb9b22

  • SSDEEP

    98304:zRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/g71NjLYV:zkj8NBFwxpNOuk2HLYV

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40d122ff0caa0962286bfa8e4a4c2ca9.exe
    "C:\Users\Admin\AppData\Local\Temp\40d122ff0caa0962286bfa8e4a4c2ca9.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3700
    • C:\Users\Admin\AppData\Local\Temp\5BhQOniO8QJ.exe
      "C:\Users\Admin\AppData\Local\Temp\5BhQOniO8QJ.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXDQwZDEyMmZmMGNhYTA5NjIyODZiZmE4ZTRhNGMyY2E5LmV4ZQ==
      2⤵
        PID:1280
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled
          3⤵
            PID:2180
            • C:\Windows\system32\sc.exe
              sc config "SysMain" start=disabled
              4⤵
              • Launches sc.exe
              PID:636
            • C:\Windows\system32\sc.exe
              sc stop "SysMain"
              4⤵
              • Launches sc.exe
              PID:2080

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1280-36-0x00000189B3170000-0x00000189B317E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1280-33-0x0000018997220000-0x0000018997226000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1280-41-0x00000189AFA50000-0x00000189AFA60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1280-40-0x00000189AFA50000-0x00000189AFA60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1280-27-0x00000189950F0000-0x0000018995414000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1280-39-0x00000189AFA50000-0x00000189AFA60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1280-38-0x00007FF9AC9F0000-0x00007FF9AD4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1280-35-0x00000189B31B0000-0x00000189B31E8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1280-34-0x00000189AFA50000-0x00000189AFA60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1280-32-0x00000189B05F0000-0x00000189B0662000-memory.dmp

        Filesize

        456KB

        Download

      • memory/1280-31-0x00000189AFA50000-0x00000189AFA60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1280-28-0x00007FF9AC9F0000-0x00007FF9AD4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1280-37-0x00000189AFA50000-0x00000189AFA60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3700-0-0x000001F61EB50000-0x000001F61EE74000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3700-13-0x000001F639470000-0x000001F639474000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3700-11-0x000001F63B580000-0x000001F63B63A000-memory.dmp

        Filesize

        744KB

        Download

      • memory/3700-30-0x00007FF9AC9F0000-0x00007FF9AD4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3700-9-0x000001F620C20000-0x000001F620C26000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3700-1-0x00007FF9AC9F0000-0x00007FF9AD4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3700-2-0x000001F639680000-0x000001F639970000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/3700-12-0x000001F639440000-0x000001F639472000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3700-10-0x000001F639410000-0x000001F639418000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3700-7-0x000001F620C10000-0x000001F620C16000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3700-8-0x000001F6395A0000-0x000001F63963C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3700-6-0x000001F620A70000-0x000001F620A74000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3700-5-0x000001F63B080000-0x000001F63B4B8000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/3700-4-0x000001F6209D0000-0x000001F620A00000-memory.dmp

        Filesize

        192KB

        Download

      • memory/3700-3-0x000001F639670000-0x000001F639680000-memory.dmp

        Filesize

        64KB

        Download